diff --git a/rust/headless-client/src/lib.rs b/rust/headless-client/src/lib.rs
index 7e482f41c..963131a65 100644
--- a/rust/headless-client/src/lib.rs
+++ b/rust/headless-client/src/lib.rs
@@ -49,8 +49,8 @@ struct Cli {
 
     // TODO: It isn't good for security to pass the token as a CLI arg.
     // If we pass it as an env var, we should remove it immediately so that
-    // other processes don't see it. Reading it from a file is probably safest.
-    #[arg(env = "FIREZONE_TOKEN")]
+    // child processes don't inherit it. Reading it from a file is probably safest.
+    #[arg(env = "FIREZONE_TOKEN", hide = true)]
     pub token: Option<String>,
 
     /// Identifier used by the portal to identify and display the device.